System and method for securing documents prior to transmission

ABSTRACT

A system and method for securing documents transmitted through document sharing systems is disclosed. The system and method apply security rules to an electronic document as it is being composed to ensure that the security policies have been expressed prior to the document being transmitted. The security program hooks into the message object model so that as the message is modified, the security rules are applied to each modification.

PRIORITY CLAIM

This application claims priority as a continuation-in-part to U.S. patent application Ser. No. 15/380,695, filed on Dec. 15, 2016 and as a continuation to U.S. patent application Ser. No. 13/962,096 filed on Aug. 8, 2013 which claims priority as a non-provisional utility to U.S. Provisional App. No. 61/858,154 filed Jul. 25, 2013, all of which are hereby incorporated by reference in their entireties for all that they teach.

FIELD OF INVENTION

The present invention generally relates to the field of digital document management and security. More particularly, the present invention relates to methods and systems for determining whether the transmission of a document on a computer network would comply with security policies set by the system operator.

BACKGROUND

In the modern office workplace, documents are now embodied in digital data files. These files are readily transmitted over digital communications networks. The typical office is comprised of several computers that share a local network connection, where all of the computers on that local connection are part of one company or, from a security perspective, one locus. The typical office work involving transactions requires sharing documents between two companies, for example, that is, a document may have to be shared between two network loci. In this case, a document may be transmitted from the local network out across a wider network to some other locus associated with the other company. The security policy of the first company may require that each document be checked prior to such a transmission outside the secure locus.

The problem faced by most computers in the office context is that an email program or other communication program is used to transmit or cause the transmission of the document as a MIME attachment, in the case of email, or in some other way relying on FTP, HTTP or other network protocols. Email is typically insecure, and transmission outside the security locus may be impermissible anyway. Therefore the security policy for each document has to be checked for each such email or other transmission. In the prior art, the email program relies on external code modules to perform the security check. These modules are typically invoked when the email program is given the command to transmit the email message. The problem with this approach is that nothing ensures the order of execution of these external code modules. As a result, this approach is prone to error and therefore is a security vulnerability. In addition, document sharing using these systems has a similar problem where a document is composed on the system, and the document itself can have designated recipients associated with the document, such that the system will transmit the document to recipients either automatically or should the recipients request the.

DESCRIPTION OF THE FIGURES

The headings provided herein are for convenience only and do not necessarily affect the scope or meaning of the claimed invention. In the drawings, the same reference numbers and any acronyms identify elements or acts with the same or similar structure or functionality for ease of understanding and convenience. To easily identify the discussion of any particular element or act, the most significant digit or digits in a reference number refer to the Figure number in which that element is first introduced (e.g., element 104 is first introduced and discussed with respect to FIG. 1).

FIG. 01. Flow chart depicting the process of updating security policy rules.

FIG. 02. Flowchart depicting the process of monitoring and checking an email message as it is composed.

FIG. 03. Basic architecture diagram for the system with a secure locus connected to an external locus.

FIG. 04. Basic architecture diagram for the system with the user computer operating with a public email server outside of a secure locus.

DETAILED DESCRIPTION

Various examples of the invention will now be described. The following description provides specific details for a thorough understanding and enabling description of these examples. One skilled in the relevant art will understand, however, that the invention may be practiced without many of these details. Likewise, one skilled in the relevant art will also understand that the invention can include many other features not described in detail herein. Additionally, some well-known structures or functions may not be shown or described in detail below, so as to avoid unnecessarily obscuring the relevant description. The terminology used below is to be interpreted in its broadest reasonable manner, even though it is being used in conjunction with a detailed description of certain specific examples of the invention. Indeed, certain terms may even be emphasized below; however, any terminology intended to be interpreted in any restricted manner will be overtly and specifically defined as such in this Detailed Description section. Where the specification recites an email program, other communication programs may equally apply. For example, various kinds of instant messaging programs also may be used to transmit documents using FTP or IRC protocols.

The method and system operate on one or more computers. In one embodiment, the user's computer is connected within the secure locus to a local server. The user computer operates the email client, and the server operates as an email server. When the user computer transmits an email it is sent to the server, which then routes the transmission out of the first secure locus to another locus. In another embodiment, the user computer may be a mobile device that may be operating outside the local network and sending emails using a publicly available email server. In this embodiment, if the mobile device (400) retrieves a document from the secure locus, by means of authenticating itself with a document management system that manages a document server (404), the mobile device may still introduce a security vulnerability if the document is attached to an email and transmitted further on to the recipient (402) using a public server (401). Or, the document may be designated in the document management system to be available to a person or a location destination for further transmission. In either case, the document has to be reliably checked before the user's email or other communication program attempts to transmit the message containing the document.

In the preferred embodiment, the server also contains a data structure stored within it that organizes logical rules that are referred to as “policies.” The policies dictate how a document that is attached to an email is to be treated. The user computer retains a local cache copy of the current policies. Referring to FIG. 1, when the email client operating on the user's computer 100 launches, it checks whether it is using the server policies 101. If so, then it checks whether there are any updates to the server policies 102. If so, the new policies are downloaded 103, to the local cache 104. By this process, the local email client operating on the user's computer has current security policies for the security locus that it operates in. Once the policies are in place in the local cache, the email client operating on the user computer can then access the policies, which are in the form of logical rules, to process email messages.

In one embodiment, the email program operating on the user's computer may be configured so that the documents that are attached to messages, referred to in FIG. 2 as an “attachment”, can be transmitted in compliance with the security policies. When the user commands the program to compose an email message, 200, this becomes an interactive process. If the user adds an attachment, the system then checks whether that attachment has an applicable policy 202. If so, then it checks whether the email message, prior to transmission, has a recipient 203. If so, then the system checks whether there is a security policy that applies to that recipient 205. If so, then the system automatically executes a remedial action as indicated by the security policy 206. As a result, the user interface of the user's computer will be modified in order to announce that this has been done 207. Returning now to the email message, if no email recipient has been specified yet, then the email, including the attachment, is scanned for security policy violations separate from ones based on recipient identity 204. Returning to the composing of the email, 200, if a recipient gets added to the message, then the system checks whether there is an attachment in the message. If so, then the checking process begins again at 202.

The advantage of this approach is that the outgoing message is checked for adherence to security policies as it is being composed. While prior art approaches to email security execute security checks after the email is designated for sending, this introduces a risk of security failure. To the extent the additional code modules that execute the security checks are external to the email program itself, there is a risk of compatibility problems, where one code module that works with the email, for example, a document management plug-in, conflicts with the security check module. The present invention avoids this problem by running the security checks while the email is being composed. In addition, the email message can automatically be fixed in accordance with the security policies.

The system operates by hooking into the email client program. In one embodiment, the system hooks into the Outlook™ object model. The object oriented computing construct permits the system to respond to the cases when a document is added to a message being composed or when recipients are added. The system creates a temporary file when the email is first created, and then stores logical values representing the results of applying the security policy rules each time the Outlook object model alerts the system that the email message object has been changed, for example, by adding recipients or adding attachments. Each modification of the email message object, while it is being composed, will trigger the security system logic. The system can thereby execute the logic for applying the security policy rules to an email message prior to the message being sent.

In one embodiment, a policy can be expressed in logic that checks whether a destination of a recipient is external to the security locus. The rule may require in those cases that any documents be collapsed into flat images that cannot be modified. Or the rule may prohibit editable document formats from leaving the security locus. And further, the security policy may query a document management system using the filename or other indicia or metadata in the attachment to determine if the document management system has indicated that the document cannot leave the security locus. In that case, the attachment is removed from the email.

In one embodiment, the policy rule can be expressed as a conditional logic statement. In the following example, the security rule checks whether the email message is going outbound, and if so, whether there is an attachment, and if so, if it is a Word™ document, and if so, it automatically converts it to a PDF and makes that .pdf file the attachment:

If email.recipient.domain <> home_domain AND email.attachment=1 AND email.attachment.extension=“.doc” THEN email.attachment.filename=pdfconvert(email.attachment.filename);

In another embodiment, the rule checks the user's authority to transmit a document externally to the security locus, and if the security level doesn't match the security level of the document, then the attachment is removed from the message and a notification is transmitted to a data security officer:

If email.recipient.domain <> home_domain AND email.attachment=1 AND email.sender.security_level <> email.attachment.filename.security_level THEN (email.attachment=0; notify_security(email.user);)

These security policy rules can be stored in a data structure either on the server or on the user's computer. When the system detects a change in the email object, then the security rules can be checked and acted upon.

Another advantage of this approach is that different policies may apply to different recipients. In this embodiment, an email that has a Powerpoint™ file as an attachment may have a recipient within the security locus and a recipient external to that locus. The policy may indicate that any external transmissions of Powerpoint slide decks must be in PDF™ format. As a result, the system can call on additional modules to create a tandem email message to the external recipient that has the same file in the PDF™ format as the attachment, while the internal recipients of the first email message receive the Powerpoint file itself. Similarly, a security policy can call a module that, for any external transmission of a document, inserts a confidentiality notice into the first page or footer of each page of the document automatically.

Other types of security policies for attachments can be established by means of establishing rule logic that can be executed by the user system. In one embodiment, the policy rule can apply to the user themselves: a user may not have permission to transmit a particular document, document file type or document department designation. In the case of a department designation, it may be that certain documents are tagged in the document management system as being associated with the human resources department, or the finance department or the research and development department. The policies may encode rules that prohibit certain users from transmitting certain department designated documents outside the security locus. In addition, a security policy may prohibit attaching any document with particular department designations, for example, human resources or research and development. The security policy can also encode a rule that causes the system to transmit a message to a particular second user in the event a particular security policy is violated. For example, if a low-level user attempts to attach a sensitive research and development document to an email being transmitted to a recipient outside the security locus, this violation can be logged, including making a copy of the message and delivering the message or notice of such message to personnel responsible for data security. In yet another embodiment, the system can record what the user decides to do and thereby create a log that can be used to create a report. In one case, the log is associated with the user's activity, and in another, the log is associated with the document and reports its disposition.

In one embodiment, the sensitivity level of a document is stored in an XML file. In another embodiment, the sensitivity level may be stored in a data record of a database. Further, the sensitivity level may be stored in any kind of data structure that may be used to obtain information corresponding to the document by use of a reference to the document. The sensitivity of a document may also be determined by examining the content of the document itself. In this case, the rules may have actual text strings, or refer to text strings that are considered an item to filter on. For example, a new project called “Breakthrough”, may result in a rule that any document containing the word “breakthrough” cannot be emailed out of the security locus, unless the sender is of a certain seniority. More typically, if any document contains the word “confidential” in the header or footer, then the document is not transmitted.

An additional security policy rule can be that if a predetermined word or phrase comprised of words is detected, these are automatically redacted, either by deletion of the text (with regard to documents comprised of encoded characters) or by the modification of the actual image of the text in order to obscure the text (for example, by applying a black stripe to the portion of the image that contains the predetermined word or phrase). In this case, the text string is used as a key in the filtering process. A rule can select that the entire sentence containing the word is redacted, or the entire paragraph. Other rules can combine these parameters. For example, an isolated instance of the string may result in the sentence being redacted, but a paragraph containing more than some pre-determined number of instances would then be redacted in its entirety.
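The sentence and paragraph redaction rule described above can be sketched as follows for documents made of encoded characters (image redaction is not covered). This is an added example, not code from the patent; the RedactionRule fields, the [REDACTED] marker, the blank-line paragraph convention and the punctuation-based sentence split are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

MARK = "[REDACTED]"  # assumption: replacement text for deleted spans


@dataclass(frozen=True)
class RedactionRule:
    phrase: str                           # the key string to filter on
    scope: str = "sentence"               # "sentence" or "paragraph"
    escalate_above: Optional[int] = None  # redact the paragraph above this many hits

    def __post_init__(self):
        if not self.phrase.strip():
            raise ValueError("an empty phrase would match everywhere")
        if self.scope not in ("sentence", "paragraph"):
            raise ValueError("scope must be 'sentence' or 'paragraph'")


def _pattern(phrase):
    # Whole words, case-insensitive, and tolerant of line wraps or extra
    # spaces between the words of a multi-word phrase.
    words = r"\s+".join(re.escape(w) for w in phrase.split())
    return re.compile(r"\b" + words + r"\b", re.IGNORECASE)


def redact(text, rule):
    """Return text with the sentences or paragraphs hit by the rule replaced."""
    pattern = _pattern(rule.phrase)
    result = []
    for paragraph in text.split("\n\n"):  # assumption: blank line ends a paragraph
        hits = len(pattern.findall(paragraph))
        whole = rule.scope == "paragraph" or (
            rule.escalate_above is not None and hits > rule.escalate_above)
        if hits == 0:
            result.append(paragraph)
        elif whole:
            result.append(MARK)
        else:
            # Split after ., ! or ? and keep the separators so spacing survives.
            parts = re.split(r"(?<=[.!?])(\s+)", paragraph)
            parts[::2] = [MARK if pattern.search(s) else s for s in parts[::2]]
            result.append("".join(parts))
    return "\n\n".join(result)


# Constructed sample: one isolated hit, one dense paragraph, one clean paragraph.
SAMPLE = (
    "Budget is approved. Project Breakthrough ships in May. Lunch is at noon.\n\n"
    "Breakthrough needs staff. The breakthrough team meets daily. Breakthrough is late.\n\n"
    "Nothing to see here."
)

if __name__ == "__main__":
    print(redact(SAMPLE, RedactionRule("breakthrough", escalate_above=2)))
```
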

In yet another embodiment, the invention deals with what to do with a file that is blocked. In one embodiment, the file can be compressed, for example, in a secure zip file. In another, the file is encrypted. In a third, the file is redacted of the sensitive information and then sent on. In yet another embodiment, the system will upload the file to a secure server location, and then replace the attachment in the email with a hyperlink in the body of the email to that location. In this embodiment, the link can be to a secure portal that prevents the public from accessing the secure server. In addition, the system can associate security attributes to the link, for example, an expiration date, shareable/non sharable permission code, downloadable or not downloadable permission code, password protected access or an IP address/domain lock. In yet another embodiment, the uploaded document is updated to a new version automatically if the original version is updated. In this case, a document management system will have metadata associated with the blocked document that it may use to determine that a document being saved is subject to a block and that a copy is residing on the secure server. When the document management system authorizes the saving of a new version, it can transmit a message or semaphore to the secure server that causes it to fetch the new version and to place the new version in the place of the older version. Alternatively, the system can transmit the document directly to the secure server. In the absence of a formal document management system, an owner of the updated document can upload the updated version.

In yet another embodiment, a document may be used to create a unique characteristic number by means of processing the encoded characters comprising the document through an algorithm so that the resulting characteristic number is unique to that version of that document. In this case, the characteristic number may be used as a key in a security rule. Alternatively, a code number may be embedded in a document in a manner that is not apparent or easily removed. This may be done using steganography. In this case, the invention may check a document that is attached to an email for this embedded code, or fingerprint, and then based on its value, determine an action to take.

Operating Environment:

The invention may be implemented by means of an algorithmic state machine. The simplest approach uses a two state machine:

00: Wait for a notification of change in the message, then go to State 01.
01: Apply the security rules and return to State 00.

In one embodiment, the state machine may have three states, with three transition conditions:

00: Wait for a notification of change in the message, then go to State 01.
01: Determine what type of security situation is implicated, e.g. recipient, document, or body of the email, then go to State 02.
02: Apply the family of security rules for that type of security situation to the detected change, return to State 00.

In one embodiment of the invention, an administrator can provide a user the privilege of selecting which rules to apply, or simply apply the rule regardless, or a combination thereof. In this approach, there is a four state machine:

00: Wait for a notification of change in the message, then go to State 01.
01: Determine what type of security situation is implicated, e.g. recipient, document, or body of the email, display to the user a selection option, then go to State 02.
02: Wait on user input of a selection, then go to State 03.
03: Apply the family of security rules selected by the user to the detected change, return to State 00.
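The three-state machine above, driving the two conditional policy rules given earlier in the description, can be sketched as follows. This is an added example, not code from the patent: the Draft class, the corp.example home domain, the DOC_SECURITY_LEVEL lookup (standing in for a document management system) and the on_change hook are assumptions, and pdfconvert only renames the file.

```python
from dataclasses import dataclass, field
from enum import Enum

HOME_DOMAIN = "corp.example"                    # assumption: domain of the secure locus
DOC_SECURITY_LEVEL = {"roadmap": 3, "menu": 1}  # assumption: stand-in for a DMS lookup


class State(Enum):
    WAIT = 0      # 00: wait for a change notification
    CLASSIFY = 1  # 01: determine the type of security situation
    APPLY = 2     # 02: apply that family of rules, then return to 00


@dataclass
class Draft:
    sender: str
    sender_level: int
    recipients: list = field(default_factory=list)
    attachments: list = field(default_factory=list)
    notices: list = field(default_factory=list)  # shown to the user (FIG. 2, 207)
    alerts: list = field(default_factory=list)   # sent to the data security officer


def is_outbound(draft):
    """True when any recipient's domain differs from the home domain."""
    return any(r.rsplit("@", 1)[-1].lower() != HOME_DOMAIN for r in draft.recipients)


def stem(filename):
    return filename.rsplit(".", 1)[0].lower()


def pdfconvert(filename):
    """Stub named after the page's pdfconvert(); only the name is changed here."""
    return filename.rsplit(".", 1)[0] + ".pdf"


def rule_level_mismatch(draft):
    """Second rule: outbound and level mismatch -> remove attachment, notify security."""
    if not is_outbound(draft):
        return
    for name in list(draft.attachments):
        # Documents unknown to the lookup have level None and never match (fail closed).
        if DOC_SECURITY_LEVEL.get(stem(name)) != draft.sender_level:
            draft.attachments.remove(name)
            draft.alerts.append((draft.sender, name))
            draft.notices.append(f"removed {name}")


def rule_doc_to_pdf(draft):
    """First rule: outbound and .doc attachment -> replace it with the PDF version."""
    if not is_outbound(draft):
        return
    for i, name in enumerate(draft.attachments):
        if name.lower().endswith(".doc"):
            draft.attachments[i] = pdfconvert(name)
            draft.notices.append(f"converted {name} to PDF")


ALL_RULES = [rule_level_mismatch, rule_doc_to_pdf]
RULE_FAMILIES = {"recipient": ALL_RULES, "attachment": ALL_RULES, "body": []}


class ComposeMonitor:
    def __init__(self, draft):
        self.draft = draft
        self.state = State.WAIT
        self.trace = [State.WAIT]

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def on_change(self, kind):
        """Entry point for the mail client's change hook (hypothetical)."""
        self._go(State.CLASSIFY)
        # An unrecognised change type gets every rule rather than none.
        family = RULE_FAMILIES.get(kind, ALL_RULES)
        self._go(State.APPLY)
        for rule in family:
            rule(self.draft)
        self._go(State.WAIT)


def compose(sender, level, changes):
    """Replay (kind, value) edits in the order a user makes them while composing."""
    draft = Draft(sender, level)
    monitor = ComposeMonitor(draft)
    for kind, value in changes:
        if kind == "recipient":
            draft.recipients.append(value)
        elif kind == "attachment":
            draft.attachments.append(value)
        monitor.on_change(kind)
    return draft, monitor


if __name__ == "__main__":
    # Constructed edits: two attachments, then an external recipient.
    edits = [("attachment", "menu.doc"), ("attachment", "roadmap.doc"),
             ("recipient", "pat@partner.example")]
    draft, _ = compose("lee@corp.example", 1, edits)
    print(draft.attachments, draft.alerts, draft.notices)
```

Because the rules rerun on every change and are idempotent, the draft ends in the same state whether the external recipient is added before or after the attachments.
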

Those skilled in the relevant art will appreciate that the invention can be practiced with other communications, data processing, or computer system configurations, including: wireless devices, Internet appliances, hand-held devices (including personal digital assistants (PDAs)), wearable computers, all manner of cellular or mobile phones, multi-processor systems, microprocessor-based or programmable consumer electronics, set-top boxes, network PCs, minicomputers, mainframe computers, and the like. Indeed, the terms “computer,” “server,” and the like are used interchangeably herein, and may refer to any of the above devices and systems. In some instances, especially where the mobile computing device 104 is used to access web content through the network 110 (e.g., when a 3G or an LTE service of the phone 102 is used to connect to the network 110), the network 110 may be any type of cellular, IP-based or converged telecommunications network, including but not limited to Global System for Mobile Communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Orthogonal Frequency Division Multiple Access (OFDM), General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), Advanced Mobile Phone System (AMPS), Worldwide Interoperability for Microwave Access (WiMAX), Universal Mobile Telecommunications System (UMTS), Evolution-Data Optimized (EVDO), Long Term Evolution (LTE), Ultra Mobile Broadband (UMB), Voice over Internet Protocol (VoIP), Unlicensed Mobile Access (UMA), etc.

The user's computer may be a laptop or desktop type of personal computer. It can also be a cell phone, smart phone or other handheld device, including a tablet. The precise form factor of the user's computer does not limit the claimed invention. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held, laptop or mobile computer or communications devices such as cell phones and PDA's, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

The system and method described herein can be executed using a computer system, generally comprised of a central processing unit (CPU) that is operatively connected to a memory device, data input and output circuitry (I/O) and computer data network communication circuitry. A video display device may be operatively connected through the I/O circuitry to the CPU. Components that are operatively connected to the CPU using the I/O circuitry include microphones, for digitally recording sound, and video camera, for digitally recording images or video. Audio and video may be recorded simultaneously as an audio visual recording. The I/O circuitry can also be operatively connected to an audio loudspeaker in order to render digital audio data into audible sound. Audio and video may be rendered through the loudspeaker and display device separately or in combination. Computer code executed by the CPU can take data received by the data communication circuitry and store it in the memory device. In addition, the CPU can take data from the I/O circuitry and store it in the memory device. Further, the CPU can take data from a memory device and output it through the I/O circuitry or the data communication circuitry. The data stored in memory may be further recalled from the memory device, further processed or modified by the CPU in the manner described herein and restored in the same memory device or a different memory device operatively connected to the CPU including by means of the data network circuitry. The memory device can be any kind of data storage circuit or magnetic storage or optical device, including a hard disk, optical disk or solid state memory.

The computer can display on the display screen operatively connected to the I/O circuitry the appearance of a user interface. Various shapes, text and other graphical forms are displayed on the screen as a result of the computer generating data that causes the pixels comprising the display screen to take on various colors and shades. The user interface also displays a graphical object referred to in the art as a cursor. The object's location on the display indicates to the user a selection of another object on the screen. The cursor may be moved by the user by means of another device connected by I/O circuitry to the computer. This device detects certain physical motions of the user, for example, the position of the hand on a flat surface or the position of a finger on a flat surface. Such devices may be referred to in the art as a mouse or a track pad. In some embodiments, the display screen itself can act as a trackpad by sensing the presence and position of one or more fingers on the surface of the display screen. When the cursor is located over a graphical object that appears to be a button or switch, the user can actuate the button or switch by engaging a physical switch on the mouse or trackpad or computer device or tapping the trackpad or touch sensitive display. When the computer detects that the physical switch has been engaged (or that the tapping of the track pad or touch sensitive screen has occurred), it takes the apparent location of the cursor (or in the case of a touch sensitive screen, the detected position of the finger) on the screen and executes the process associated with that location. As an example, not intended to limit the breadth of the disclosed invention, a graphical object that appears to be a 2 dimensional box with the word “enter” within it may be displayed on the screen. If the computer detects that the switch has been engaged while the cursor location (or finger location for a touch sensitive screen) was within the boundaries of a graphical object, for example, the displayed box, the computer will execute the process associated with the “enter” command. In this way, graphical objects on the screen create a user interface that permits the user to control the processes operating on the computer.

The system may be comprised of a central server that is connected by a data network to a user's computer. The central server may be comprised of one or more computers connected to one or more mass storage devices. The precise architecture of the central server does not limit the claimed invention. In addition, the data network may operate with several levels, such that the user's computer is connected through a fire wall to one server, which routes communications to another server that executes the disclosed methods. The precise details of the data network architecture do not limit the claimed invention.

A server may be a computer comprised of a central processing unit with a mass storage device and a network connection. In addition a server can include multiple of such computers connected together with a data network or other data transfer connection, or, multiple computers on a network with network accessed storage, in a manner that provides such functionality as a group. Practitioners of ordinary skill will recognize that functions that are accomplished on one server may be partitioned and accomplished on multiple servers that are operatively connected by a computer network by means of appropriate inter process communication. In addition, the access of a website can be by means of an Internet browser accessing a secure or public page or by means of a client program running on a local computer that is connected over a computer network to the server. A data message and data upload or download can be delivered over the Internet using typical protocols, including TCP/IP, HTTP, SMTP, RPC, FTP or other kinds of data communication protocols that permit processes running on two remote computers to exchange information by means of digital network communication. As a result a data message can be a data packet transmitted from or received by a computer containing a destination network address, a destination process or application identifier, and data values that can be parsed at the destination computer located at the destination network address by the destination application in order that the relevant data values are extracted and used by the destination application.

The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices. Practitioners of ordinary skill will recognize that the invention may be executed on one or more computer processors that are linked using a data network, including, for example, the Internet. In another embodiment, different steps of the process can be executed by one or more computers and storage devices geographically separated but connected by a data network in a manner so that they operate together to execute the process steps. In one embodiment, a user's computer can run an application that causes the user's computer to transmit a stream of one or more data packets across a data network to a second computer, referred to here as a server. The server, in turn, may be connected to one or more mass data storage devices where the database is stored. The server can execute a program that receives the transmitted packet and interprets the transmitted data packets in order to extract database query information. The server can then execute the remaining steps of the invention by means of accessing the mass storage devices to derive the desired result of the query. Alternatively, the server can transmit the query information to another computer that is connected to the mass storage devices, and that computer can execute the invention to derive the desired result. The result can then be transmitted back to the user's computer by means of another stream of one or more data packets appropriately addressed to the user's computer.

Computer program logic implementing all or part of the functionality previously described herein may be embodied in various forms, including, but in no way limited to, a source code form, a computer executable form, and various intermediate forms (e.g., forms generated by an assembler, compiler, linker, or locator.) Source code may include a series of computer program instructions implemented in any of various programming languages (e.g., an object code, an assembly language, or a high-level language such as FORTRAN, C, C++, JAVA, or HTML or scripting languages that are executed by Internet web-browsers) for use with various operating systems or operating environments. The source code may define and use various data structures and communication messages. The source code may be in a computer executable form (e.g., via an interpreter), or the source code may be converted (e.g., via a translator, assembler, or compiler) into a computer executable form.

The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. The computer program and data may be fixed in any form (e.g., source code form, computer executable form, or an intermediate form) either permanently or transitorily in a tangible storage medium, such as a semiconductor memory device (e.g., a RAM, ROM, PROM, EEPROM, or Flash-Programmable RAM), a magnetic memory device (e.g., a diskette or fixed hard disk), an optical memory device (e.g., a CD-ROM or DVD), a PC card (e.g., PCMCIA card), or other memory device. The computer program and data may be fixed in any form in a signal that is transmittable to a computer using any of various communication technologies, including, but in no way limited to, analog technologies, digital technologies, optical technologies, wireless technologies, networking technologies, and internetworking technologies. The computer program and data may be distributed in any form as a removable storage medium with accompanying printed or electronic documentation (e.g., shrink wrapped software or a magnetic tape), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server or electronic bulletin board over the communication system (e.g., the Internet or World Wide Web.) It is appreciated that any of the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.

The described embodiments of the invention are intended to be exemplary and numerous variations and modifications will be apparent to those skilled in the art. All such variations and modifications are intended to be within the scope of the present invention as defined in the appended claims. Although the present invention has been described and illustrated in detail, it is to be clearly understood that the same is by way of illustration and example only, and is not to be taken by way of limitation. It is appreciated that various features of the invention which are, for clarity, described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable combination. It is appreciated that the particular embodiment described in the specification is intended only to provide an extremely detailed disclosure of the present invention and is not intended to be limiting.

It should be noted that the flow diagrams are used herein to demonstrate various aspects of the invention, and should not be construed to limit the present invention to any particular logic flow or logic implementation. The described logic may be partitioned into different logic blocks (e.g., programs, modules, functions, or subroutines) without changing the overall results or otherwise departing from the true scope of the invention. Oftentimes, logic elements may be added, modified, omitted, performed in a different order, or implemented using different logic constructs (e.g., logic gates, looping primitives, conditional logic, and other logic constructs) without changing the overall results or otherwise departing from the true scope of the invention.

Also, while processes or blocks are at times shown as being performed in series, these processes or blocks may instead be performed or implemented in parallel, or may be performed at different times.

1. A method executed by a computer system for securing an electronic document comprised of data stored on the computer system, that is in the state of being modified by a user as a result of the user operating a computer program running on said computer system comprising: automatically detecting a change in one of at least one predetermined conditions corresponding to the data representing the electronic document, during the period that the electronic document is in the state of being modified; in response to the automatic detection of the change of the predetermined condition, applying a security policy rule to the data representing the electronic document while the electronic document remains in the state of being modified, said security policy being selected by the computer system in dependence on which of the at least one of the plurality of predetermined conditions was detected as having been changed.

2-30. (canceled)
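The method of claim 1 can be illustrated with a short sketch, added here as an example and not taken from the patent or any implementation of it: a draft whose monitored fields are changed through one hook, which runs only the rules mapped to the condition that changed. The field names, the three sample rules, the `POLICY` table and the `corp.example` domain are all constructed assumptions.

```python
import re
from typing import Callable, Dict, List

INTERNAL_DOMAIN = "corp.example"  # constructed: the sender's own network locus

# Constructed sample rules; the page does not specify rule contents.
def confidential_to_external(d: "Draft") -> List[str]:
    external = [r for r in d.fields["recipients"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    marked = [a["name"] for a in d.fields["attachments"] if a.get("label") == "confidential"]
    return [f"{a} would go to {r}" for a in marked for r in external]

def tracked_changes(d: "Draft") -> List[str]:
    return [f"{a['name']} has tracked changes" for a in d.fields["attachments"] if a.get("tracked_changes")]

def body_marker(d: "Draft") -> List[str]:
    return ["privilege marker in body"] if re.search(r"attorney[- ]client", d.fields["body"], re.I) else []

# Which rules run depends on which monitored condition changed.
POLICY: Dict[str, List[Callable]] = {
    "recipients": [confidential_to_external],
    "attachments": [confidential_to_external, tracked_changes],
    "body": [body_marker],
}

class Draft:
    """A document being composed; every edit to a monitored field goes through set()."""
    def __init__(self):
        self.fields = {"recipients": [], "attachments": [], "body": ""}
        self.findings: Dict[str, List[str]] = {}  # rule name -> open findings

    def set(self, condition: str, value) -> List[str]:
        if condition not in self.fields:
            raise KeyError(condition)
        if self.fields[condition] == value:
            return []                      # no change detected, so no rule runs
        self.fields[condition] = value
        ran = []
        for rule in POLICY.get(condition, []):
            self.findings[rule.__name__] = rule(self)  # re-run replaces stale results
            ran.append(rule.__name__)
        return ran                         # names of the rules selected for this change

    def may_send(self) -> bool:
        return not any(self.findings.values())
```

Findings are stored per rule rather than per field, so a cross-field rule such as `confidential_to_external` clears its own earlier result when either the recipients or the attachments are corrected.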